
Okrum

Posted: July 19, 2019

Okrum is a backdoor Trojan that can provide attackers with means of taking control of your PC, such as downloading or uploading files. This threat is a tool of the Ke3chang APT, a China-based team of hackers that targets diplomatic entities. Adhering to best practices for network safety and keeping anti-malware products available for removing Okrum on sight are highly recommended.

Backdoors Opening Up to Advanced Monitoring Software

Although its campaigns and the tools it uses within them are multiple years old, Ke3chang is one of the less thoroughly examined threat actors within the field of (most likely) state-sponsored espionage. Malware experts characterize this China-based team of hackers by its regular rotation of techniques for introducing a semi-consistent set of threats with general-purpose, backdoor, and data-exfiltration capabilities. Out of the many programs that Ke3chang makes use of, Okrum is one of the few that serves a double role as both a backdoor Trojan in its own right and a Trojan downloader for secondary backdoor Trojans.

Okrum isn't the first stage of an infection attempt, but, instead, gets its installation from one of a series of regularly swapped-out exploits and Trojan droppers that Ke3chang delivers through unknown methods. It uses steganography, the technique of hiding code inside of images, as one of multiple means of hiding its identity, and includes various checks against analysis environments and virtual machines. Malware experts also label Okrum as system-persistent, which it achieves with a fake service posing as the Removable Storage Manager.
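
A defender-side audit for the persistence trick described above, added here as an example (it is not code from the original page or from any vendor's tooling): it enumerates installed Windows services and reports any whose name or display name resembles the Removable Storage Manager, or whose binary runs from a user-writable location. The name pattern and the path heuristic are assumptions chosen for illustration, not indicators taken from the page.

```powershell
# Added example: audit services for lookalike persistence entries such as a
# fake "Removable Storage Manager" service. Run from an elevated session.
# Assumptions (not from the page): the name pattern below, and the rule that a
# service binary under a user profile or temp directory deserves review.
$namePattern = 'Removable Storage|ntms'
$writablePathPattern = '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\'

$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, PathName, StartMode, State

$findings = foreach ($svc in $services) {
    $reasons = @()

    # The Removable Storage Manager (ntmssvc) is not part of modern Windows
    # (assumption: the audited host runs Vista or later), so a service that
    # borrows its name is worth a look. -match is case-insensitive by default.
    if ($svc.Name -match $namePattern -or $svc.DisplayName -match $namePattern) {
        $reasons += 'lookalike service name'
    }

    # Legitimate services rarely run from user-writable directories.
    if ($svc.PathName -and $svc.PathName -match $writablePathPattern) {
        $reasons += 'binary in user-writable location'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name      = $svc.Name
            Display   = $svc.DisplayName
            Path      = $svc.PathName
            StartMode = $svc.StartMode
            State     = $svc.State
            Reason    = ($reasons -join '; ')
        }
    }
}

if ($findings) {
    $findings | Sort-Object Reason, Name | Format-Table -AutoSize
} else {
    Write-Output 'No services matched the review criteria.'
}
```

Any hit is a lead for manual review rather than proof of infection; compare the reported entries against a known-good baseline from a clean host of the same build.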

Okrum's payload has a narrow but incisive emphasis on processing CMD commands that let the threat actor control the PC. Examples of these attacks include uploading stolen files from the computer, downloading and installing other threats like keyloggers, and making unwanted system settings changes. Network admins should note that, traditionally, Okrum's C&C server contact uses misleading domain names that pose as benign services, such as a Slovakian map site.

Meeting the Rest of Okrum's Friends

As a solitary Trojan, Okrum offers limited but highly useful features for any attacker wishing to escalate a network breach into something exploitable and profitable. However, malware researchers frequently correlate Okrum infections with the presence of other threats beyond itself. The Ke3chang APT often uses third-party tools, such as the password-collecting Mimikatz, or in-house ones like the backdoor Trojans Ketrican and RoyalDNS. Okrum is, therefore, not a Trojan campaign's stopping point, but an intermediary that enables more and worse attacks.

Networks should never leave RDP features open for threat actors' abuse and should keep all credentials for logging in and acquiring admin access set to unique and complex values. E-mail is another possibility for infection, although it's one that requires an employee's interaction with an attachment or link before endangering the PC. Standardized best practices for network security can help diplomatic institutions and other likely targets of Ke3chang evade attacks.

In addition to other precautions, users should keep anti-malware solutions updated so that they detect and remove Okrum efficiently and catch any vulnerabilities used to install it.

Okrum is a backdoor Trojan that holds the door open for its 'friends' to make their way inside. While it's not a very complicated case of programming, it does what it needs to do in an age of monitoring through software.
